Summary of Contents for ZyXEL Communications NXC2500
Page 1
NXC series NXC2500/NXC5500 Wireless LAN controller, Firmware Version 4.20~4.30, Edition 1, 9/2016, Troubleshooting Guide
Default Login Details: LAN Port IP Address https://192.168.1.1, User Name admin, Password 1234
Page 3
www.zyxel.com
6.1 Symptom: Cannot see the Captive Portal on wireless device (cannot find the webpage) or NXC managed page is redirected instead of Captive Portal (page 53)
6.2 Symptom: Login denied (page 64)
7 Roaming (page 69)
7.1 What is Roaming (page 69)
7.2 What’s the setting conditions of roaming ...
1 Basic Information
1.1 Check Firmware Version
Access the NXC via the GUI to see the FW version. Figure 1 DASHBOARD > Dashboard > Device Information
Access the NXC via SSH/Telnet/Console to see the FW version. Figure 2 Tera Term > NXC > Router# show version
If the firmware is not the latest version, please upgrade it to the latest version.
Figure 3 Example of Network Topology
Important key points in the topology:
- Gateway of each subnet
- DHCP server
- Auth. Server (RADIUS or AD)
- VLAN settings
1.3 Device Configuration File
Download startup-config.conf. Figure 4 MAINTENANCE > File Manager > Configuration File Figure 5 Tera Term >...
If there are multiple devices in the environment, collect the config files of as many devices as possible. If there are multiple tagged VLANs in the environment, make sure the VLAN settings in the switch config are correct. Make sure the NXC is the only AP controller (replies to CAPWAP Discovery Request) in the network.
Indicate the date/time and IP/MAC address of the device in the report. Send the log to an external syslog server or to email to monitor the device log if the system log flushes frequently.
1.4 Collect dmesg and/or disklog
Collect the dmesg file via terminal software. Figure 8 Tera Term >...
Note: The dmesg will be cleared after a reboot, but the disklog will be kept on the device.
2 Capture Packets
2.1 Capture Ethernet Packets
2.1.1 Use WLAN controller/AP
Capture packets via the controller GUI. Set the parameters and press ‘Capture’. Figure 10 MAINTENANCE > Diagnostics > Packet Capture > Capture
Download the packet.
Check packets via CLI on the controller. Figure 12 Tera Term > NXC > Router# packet-trace interface <interface>
Press “Ctrl+c” to stop capturing packets.
2.1.2 Use AP CLI (AP cannot save captured packets)
Check packets via CLI on the AP. Figure 13 Tera Term >...
Winpcap is also bundled with Wireshark. The new Win10pcap is able to capture packets with 802.1Q VLAN tags: http://www.win10pcap.org/ Win10pcap supports only Win7 and later Windows systems.
2.1.4 Set Mirror Port on Switch
Select the source port, destination port, and the flow direction, then connect the capture device to the destination port and start the capture.
Set a managed AP to MON mode, and apply the MON profile. Select the MON mode AP and press ‘Capture’. Figure 16 MAINTENANCE > Diagnostics > Wireless Frame Capture > Capture
2.2.2 Use Linux
Use the following commands to set your WLAN card into monitor mode:
$ sudo ifconfig wlan0 down
$ sudo iwconfig wlan0 mode monitor
$ sudo ifconfig wlan0 up...
Then open Wireshark and capture on the interface wlan0. Please refer to the KB for more detailed instructions: http://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=015072&lang=EN
2.2.3 Use Windows
Windows does not support wireless monitor mode natively, so you will need extra software (e.g. OmniPeek Network Analysis Software) and a USB adapter with a specialized driver to capture wireless packets.
Page 13
Figure 19 RJ-45-to-DB-9 Console Cable Color Codes
For NWA5KN/ NWA3KN series: Provided with the product package. Figure 20 Console Cable for NWA5KN/ NWA3KN series
For NWA512X series/ WAC6103D-I: Please find a cable and connect to the pins according to the description in this KB: http://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=015102&lang=EN...
3.2 Serial Console Settings
Terminal Software:
- Tera Term http://ttssh2.osdn.jp/
- PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty
Serial port setup:
- Baud rate 115200 bps
- No parity, 8 data bits, 1 stop bit
- No flow control
Figure 22 Tera Term > Setup > Serial port Figure 23 PuTTY > Session > Serial > Speed
Page 15
Save log: Enable Timestamp for the log in Tera Term, so that the time is recorded with the logs. Figure 24 Tera Term > File > Log Figure 25 PuTTY > Logging > All session output
Page 16
Enable console log level 8 (show console debug messages). Hot key to enable console log level 8: send ‘Send break + 8’ to the serial console. Figure 26 TeraTerm > Control > Send break and press ‘8’ Figure 27 PuTTY > move cursor to the top bar (right click) > Special Command >...
4 Managed AP
Figure 28 The following table describes the icons in this screen.
4.1 Symptom: Managed AP doesn’t show on the AP management list
If the AP was changed to managed mode and it still doesn’t show on the AP list after a long wait, please follow these steps to troubleshoot.
Page 18
Select “Manual” for registration type. Figure 30 CONFIGURATION > Wireless > Controller > configuration
NXC: Select “Always Accept” or “Manual” for registration type.
- Always Accept: Controller trusts the managed AP automatically.
- Manual: User trusts the managed AP.
Figure 31 CONFIGURATION > Wireless > Controller > configuration
If the option is “Manual”, don’t forget to trust the managed AP.
Page 19
DHCP table: If the DHCP server is one of the ZyXEL devices (UAG, ZyWALL and NXC), you can check the IP in the GUI. Figure 34 DASHBOARD > Dashboard > System Status Figure 35 DASHBOARD > Dashboard > System Status > DHCP Table
Console: Get the IP by connecting a console cable and accessing the AP via terminal software.
Page 20
Figure 39 AP broadcasts the CAPWAP packet to the controller
When the AP gets the IP, you will see the IP shown on the console. Figure 40 Tera Term > AP > Router > show interface all
Check the mode of the unified AP: If the AP is a unified access point, please access the AP via SSH or console cable to check the mode.
Page 21
Manual: The AC-IP is set by the user. Figure 45 CONFIGURATION > MGNT Mode > Managed AP > Static IP
Note: If many managed APs on site need an AC-IP, we suggest setting the AC-IP on the DHCP server with option 138. Managed APs that get an IP will then also learn the AC-IP and send CAPWAP packets to the controller asking to be managed.
Page 22
Write the AC-IP address via console: Figure 48 Tera Term > AP > Router > show capwap ap ac-ip
If you know the AC-IP, you can also write the IP directly via the console. Figure 49 Tera Term > AP > Router > configure terminal > capwap ap ac-ip <AC-IP1>...
Page 23
the Ethernet device or network cable. Figure 52 Tera Term > NXC > Router > ping <AP-IP>
Check whether a switch, router or firewall blocks the traffic or CAPWAP port 5246.
Trace route: Use trace route to find where the packets are dropped. Figure 53 Tera Term >...
Download log files. Figure 56 MAINTENANCE > Diagnostics > Diagnostics > Files > Download
Provide topology/controller config/packet/remote access/Diagnostic info to HQ for an advanced check.
4.2 Symptom: Managed AP offline
If the AP has been managed by the controller before and the color of the AP icon is gray, please follow these steps to troubleshoot.
Page 25
- Can the managed AP and the NXC communicate with each other?
- How to know whether APs are offline because of external factors?
- Information collection and report the issue to the HQ.
Check the configuration of the controller (USG/ ZyWALL/ NXC). If the customer’s topology has a USG or ZyWALL, please make sure “Registration Type”...
Page 26
Does the AP get the IP? Check the IP address via the DHCP table or access the AP by console cable.
DHCP table: If the DHCP server is one of the ZyXEL devices (UAG, ZyWALL and NXC), you can check the IP in the GUI. Figure 62 DASHBOARD >...
Page 27
Check the switch configuration, such as blocked ports, VLAN settings, etc. Capture the Ethernet packets with Wireshark.
Figure 65 The process of the AP asking the DHCP server for an IP. Figure 66 AP gets the IP. Figure 67 AP broadcasts the CAPWAP packet to the controller
When the AP gets the IP, you will see the IP shown on the console.
Page 28
If you know the AC-IP, you can also write the IP directly via the console. Figure 72 Tera Term > AP > Router > configure terminal > capwap ap ac-ip <AC-IP1> <AC-IP2> > write > exit > reboot
Note: If there is only one controller in the topology, write the controller’s IP in the <AC-IP1>...
Page 29
Check whether a switch, router or firewall blocks the traffic or CAPWAP port 5246.
Trace Route: Use trace route to find where the packets are dropped. Figure 76 Tera Term > AP > Router > traceroute <AC-IP>
Use Wireshark to capture CAPWAP packets between the controller and the managed AP to check the status of the network traffic.
Page 30
- Is the network cable plugged into the port properly?
- Is the network cable of good quality?
- Did someone touch the network cable or turn off the APs?
- Check the PoE status of the switch. Did the PoE switch power off the port?
...
Download log files. Figure 81 MAINTENANCE > Diagnostics > Diagnostics > Files > Download
Provide topology/controller config/packet/remote access/Diagnostic info to HQ for an advanced check.
4.3 Symptom: Managed AP error with conflict
When the color of the managed AP icon is red, it means the AP has a configuration conflict.
Page 32
There is some information you need for the troubleshooting; follow the steps in order.
The procedure of the troubleshooting:
- Check the configuration of the controller
- Check AP’s wireless card
- Information collection and report the issue to the HQ
Check the configuration of the controller
Example of VLAN Conflict: mismatched management VLAN ID. Figure 84 MONITOR >...
Page 33
Figure 87 CONFIGURATION > Wireless > AP Management > Mgnt. AP List > Edit > Edit AP List > VLAN Settings
Check the “Override Group VLAN setting” and “Force Overwrite VLAN Config” boxes to modify the VLAN ID on the controller so that it has the same management VLAN ID as the managed AP.
Page 34
Check the root cause. Figure 89 MONITOR > Wireless > AP Information > AP List > More Information Figure 90 CONFIGURATION > Wireless > AP Management > Mgnt. AP List. Figure 91 MONITOR > Wireless > AP Information > Radio List. Figure 92 MONITOR >...
Page 35
Figure 93 CONFIGURATION > Wireless > AP Management > AP Group > Edit > Radio 2 Setting
Edit a single managed AP. Figure 94 CONFIGURATION > Wireless > AP Management > Mgnt. AP List > Edit
Check the managed AP status on the controller. Figure 95 MONITOR >...
Page 36
Tx/Rx PKT count, Rx FCS Error Count, Tx Retry Count and TX Power show zero. Figure 97 MONITOR > Wireless > AP Information > Radio List
Check via console whether the WLAN status of the managed AP shows n/a. Figure 98 Tera Term > Router > show interface all
Check the wireless card status of the managed AP via console.
Page 37
Example of NWA3K-N with abnormal status: It shows none. Figure 101 Tera Term > AP > Router> show wlan all
Example of NWA5120 series with normal status: It shows PCI wifi1 and the information of the interface. Figure 102 Tera Term > AP > Router >_debug show file /proc/interrupts Figure 103 Tera Term >...
Page 38
There is no wlan-2-1 info. Figure 105 Tera Term > AP > Router> _debug wireless_dbg iwconfig
Cold start the managed AP (unplug and plug in the power of the managed AP). If the wireless card status is still abnormal, please RMA the AP.
Information collection and report the issue to the HQ
Capture the related log files from the controller and the managed AP.
Download log files. Figure 108 MAINTENANCE > Diagnostics > Diagnostics > Files > Download
Provide topology/controller config/packet/remote access/Diagnostic info to HQ for an advanced check.
4.4 Symptom: Managed AP keeps updating
If a group of APs has upgraded the FW and several APs still keep updating, please collect the info for HQ with the following steps.
Page 40
This issue may be caused by the following reasons:
- For NWA3000-N series, it could be caused by boot code version 1.13
- Unstable network connection between controller and managed AP
- The upgrade process could not pass through NAT if the controller or managed AP is in a different network
Collect the information
To clarify the root cause, please follow these steps.
Page 41
If the boot module is newer than v1.13, please upgrade the FW to 2.23 patch 8.
Unstable network connection between controller and managed AP
Run a ping test between the controller and the managed AP via SSH to check that the network connection is stable in both directions (no long latency or ping drops).
Page 42
Note: Capturing the logs takes some time, please kindly wait.
Collect log files of the managed AP via the controller GUI
Add the managed AP to the Collected APs. Figure 117 MAINTENANCE > Diagnostics > Diagnostics > Collect on AP > Collect Now.
5 Wireless
5.1 Symptom: Cannot see the SSID name.
There is some information you need from the customer; follow the questions in order and you will know how to troubleshoot.
The procedure of the troubleshooting:
1. Check the configuration of the controller (USG/ ZyWALL/ NXC).
2....
Page 44
Check whether the radios are bound to the correct band. (Radio 1 is the 2.4GHz band and radio 2 is the 5GHz band.) Figure 121 CONFIGURATION > Object > AP Profile > Radio > Edit Figure 122 CONFIGURATION > Wireless > AP Management > AP Group > Edit
Is the AP using a Weather Radar channel? If the channel in use overlaps with 112~120, you must wait 10 min, and on the DFS channels you must wait 1 min, before the SSID can be seen.
Page 45
Note: If tunnel mode is used and the CAPWAP connection is then lost (AP status in the NXC AP information is “offline”), the SSID also cannot be seen. (Please refer to the topic “Managed AP”.)
Information collection and report the issue to the HQ.
Capture the related log files from the controller and the managed AP.
Page 46
Download log files. Figure 126 MAINTENANCE > Diagnostics > Diagnostics > Files > Download
Provide topology/controller config/packet/remote access/Diagnostic info to HQ for an advanced check.
Capture the packet for wireless
Use OmniPeek (software) to capture wireless packets between STA and AP. If the user cannot use OmniPeek to capture wireless packets, please use another NWA3000-N series and NWA5000-N series AP in monitor mode to capture wireless packets, and the packet capture feature on the NXC...
Page 47
The station list info of associated AP: Figure 128 MONITOR > Wireless > Station Info
5.2 Symptom: Connection Failure
There is some information you need from the customer; follow the questions in order and you will know how to troubleshoot.
The procedure of the troubleshooting:
- Check the configuration of the controller (USG/ ZyWALL/ NXC).
- Environment Verification
- Information collection and report the issue to the HQ.
Page 49
Use Wi-Spy to scan the environment for other interference.
Information collection and report the issue to the HQ.
Capture the related log files from the controller and the managed AP.
Collect log files of the controller via GUI
Capture every category to give RD complete information. Figure 129 MAINTENANCE >...
Page 50
Figure 130 MAINTENANCE > Diagnostics > Diagnostics > Collect on AP > Collect Now
Download log files. Figure 131 MAINTENANCE > Diagnostics > Diagnostics > Files > Download
Provide topology/controller config/packet/remote access/Diagnostic info to HQ for an advanced check.
Capture the packet for wireless
Use OmniPeek (software) to capture wireless packets between STA and AP.
Display all wireless interfaces on the station and Access Point. Figure 132 Laptop> cmd > netsh wlan show interface all
The station list info of associated AP: Figure 133 MONITOR > Wireless > Station Info
5.3 Symptom: Wireless low throughput
There is some information you need from the customer; follow the questions in order and you will know how to troubleshoot.
Check whether the AP output power is 100% or not. We suggest an AP power of 50% or less, because the client’s output power is lower than the AP’s: the AP can send packets to the client, but the client’s packets cannot reach the AP.
4. Authentication server authenticates. If the NXC controller’s DNS query for the URL succeeds, the NXC controller redirects the client’s laptop to the Captive Portal.
5. After successful authentication, the user is allowed to access the Internet.
Figure 134 The flow chart of captive portal redirect on AP
6.1 Symptom: Cannot see the Captive Portal on wireless device (cannot find the webpage) or NXC managed page is redirected instead of Captive Portal...
Page 54
Redirect on AP
- Check the topology. NXC controller location. Internal or external Captive Portal?
- Check the network.
- Has the user logged in to the captive portal before?
- Information collection and report the issue to the HQ.
Check that a station that gets an IP can access the Ethernet when captive portal is disabled.
Page 55
Confirm the computer can access the Internet. Figure 136 Computer > cmd > ping 8.8.8.8
A station that gets an IP can resolve the URL through a valid DNS. If the station gets the IP and DNS address, you can ping a global website to check that the URL is resolved by a valid DNS.
Page 56
Check the configuration of the NXC. If the NXC controller is not a gateway, please check whether the gateway IP address is written on the interface used by the stations doing captive portal. Assume the stations in VLAN10 must be blocked by the captive portal. The VLAN10 interface in the NXC controller must have the correct gateway IP address written, otherwise;...
Page 57
Enable the auth. policy to “force” the source traffic. Figure 141 CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule Figure 142 CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule
Note: Make sure the traffic matches the User Authentication Policy. As in the above screenshot, the traffic must come from the range 192.168.10.33~192.168.10.200, otherwise;...
Page 58
Figure 144 CONFIGURATION > Object > AP Profile > SSID > SSID List For NXC2500 If a NXC2500 acts as a bridge switch, the uplink port must be set to P1 for authenticating the traffic via the Captive Portal from the clients.
Page 59
Enable the auth. policy to “force” the source traffic. The auth. policy rule in Redirect on AP is an SSID-based policy to filter the traffic from the AP.
Note: The forwarding mode of the SSID must be local bridge.
Figure 146 CONFIGURATION > Captive Portal > Redirect on AP > Authentication Policy Rule Figure 147 CONFIGURATION >...
Page 60
Select the policy for the AP group.
Note: Portal redirect on the AP still needs the controller to be involved in the authentication flow. If the connection to the controller is lost, there is an option to skip authentication.
Check the topology.
Page 61
Confirm the traffic between the NXC and the external captive portal web server is passing. Use the NXC to ping the external captive portal web server. If it is an external web portal, make sure the URLs of the web pages are correct.
Page 62
The NXC can ping and resolve a global website such as Google (IPv4) successfully via console: Figure 151 Tera Term > NXC > Router > ping <Public DNS IP>
Has the user logged in to the captive portal before? If the user has logged into the captive portal before and didn’t log out, the station will still remain in the user list until the authentication times out.
Page 63
Check whether the user still exists after logging out from the NXC captive portal. If you can still see the user’s IP address (192.168.10.33 in the screenshot below) in the “Chain FORCE_AUTH”, it means the device (192.168.10.33) is being used to access the NXC via another account (like admin). Check that the authentication policy is written in the firewall NAT table in “Chain FORCE_AUTH_POLICY”.
- Station can ping the NXC and the station opens a new browser
- Webpage is not redirected to Captive Portal (can’t find the webpage)
- Stop capturing packets and download the captured files
Please indicate the IP of the NXC, AP and station, and the URL of the webpage which the station is going to open.
Page 65
The procedure of the troubleshooting:
1. Login account doesn’t exist in server or password is incorrect.
2. Admin type cannot log in to the captive portal page
3. Information collection and report the issue to the HQ.
Login account doesn’t exist in server or password is incorrect.
The error message will be “login denied”...
Page 66
Information collection and report the issue to the HQ.
Check the System & debug log of the NXC
The system log on the NXC can show why the login was denied in the first place. Figure 159 MONITOR > Log > View log
Choose debug log for more user information: Figure 160 CONFIGURATION >...
Page 67
Check debug log: In the screenshot below, I typed the right username and password. Figure 161 MONITOR > Log > Display > Debug Log
In the screenshot below, I typed a username joy which existed in the database but with a wrong password. The Auth User (test) result is 7.
Page 68
database. The Auth User (test) result is 9. Figure 163 MONITOR > Log > Display > Debug Log
Choose other debug log for more information: Active log and alert (AC): account, captive portal, authentication server, force authentication. Figure 164 CONFIGURATION > Log & Report > Log Setting > System log > Edit >...
7 Roaming
7.1 What is Roaming
When a WiFi user walks from one AP’s coverage to another AP’s without disconnection, we call it roaming. For example, station 2 wants to walk from AP1’s coverage to AP2’s. Station 2 performs “Reassociation” with AP2 first, and then “Deauthentication” with AP1. Figure 166 The Process of Roaming
7.2 What’s the setting conditions of roaming
The APs need to be set to the same SSID, security, and the same DHCP server.
Page 70
Figure 168 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List > Radio1 Setting
Check that the APs’ coverage ranges overlap. (You may use an application such as inSSIDer to scan the signal.) Figure 169 inSSIDer
The station usually disconnects from the AP when the RSSI is lower than -60dBm, so the overlapping edge should not be lower than -60dBm, to avoid a signal too weak for connection.
Figure 170 Tera Term > AP > Router> show wlan slot1 list all sta
7.3 The Limitation of roaming
- “Band Select” may potentially cause interruptions for time-sensitive applications because of roaming delays
- The connection might not be stable if “Load Balance” is enabled
...
Page 72
Figure 172 CONFIGURATION > Wireless > AP Management > AP Group > AP List
Standalone AP
Configure the standalone AP SSID and Radio in the GUI pages below. Figure 173 CONFIGURATION > Object > SSID > SSID List > Edit SSID Profile Figure 174 CONFIGURATION >...
Page 73
overlapped area RSSI value, the station is not able to connect with the AP. For example, if the station signal threshold is -50dBm but the overlapped area RSSI is -60 to -65dBm, the station is not able to connect with the AP. The threshold is disabled in the default setting, and can be changed in the GUI. Figure 175 CONFIGURATION >...
Figure 176 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List
7.5 Symptom: Why station disconnect during roaming
If the station disconnects during roaming, please follow these steps to troubleshoot.
1. Check that AP2’s SSID, Security, and DHCP server are the same as AP1’s.
2....
Check AP1 and AP2’s coverage overlap
If AP1 and AP2’s coverage doesn’t overlap, the station disconnects when roaming.
Check RSSI of overlapped area
If the RSSI is lower than -65dBm, the station might disconnect because of weak signal.
8 802.1X authentication
What should we do when the 802.1X authentication fails with RADIUS, AD and LDAP? There are three phases for you to find what the problem let the...
for configuration and network and the issue still exists, then collect the related information so that we can understand the symptom as soon as possible and fix it.
Topology: Here is an example in which a wireless station is authenticated by an external authentication server via the NXC5500; the management VLAN on the NXC5500 is VLAN 1 with IP range 192.168.100.x....
Page 77
Check whether the RADIUS information in the NXC is correct.
Note: In the Key field, enter the same password as the one in the RADIUS server. Figure 178 CONFIGURATION > Object > AAA Server > RADIUS > Edit.
Check whether the information in the RADIUS server is correct.
Page 78
Figure 181 CONFIGURATION > Object > AP profile > SSID > Security List > Edit
Since the RADIUS server supports the EAP protocol, you can select Internal or External for the RADIUS server type, depending on the topology.
RADIUS server type: Internal
If the EAP protocol is handled by the built-in FreeRADIUS of the NXC, you need to add the NXC information to the RADIUS server as a trusted client.
Page 79
Figure 184 CONFIGURATION > Object > AP Profile > SSID > Security List > Radius Authentication Settings
RADIUS server setting: If the EAP protocol is handled by the RADIUS server, you need to add the AP information to the RADIUS server as a trusted client. Figure 185 Windows2008 RADIUS server >...
Page 80
Check the security profile with 802.1X authentication. Figure 186 CONFIGURATION > Object > AP profile > SSID > SSID List > Edit
Check whether the AP is set to the AP profile that you created.
Check the port number of RADIUS server
To confirm the network traffic, please make sure the port of the server is the same as that configured in the NXC5500, and log in to the console of the NXC and the RADIUS server.
Page 81
- The IP of RADIUS server
- The IP of AP
The external RADIUS server pings the NXC and AP. Figure 190 RADIUS server > cmd > ping <device’s IP>
- The IP of NXC
- The IP of AP
Packet trace by NXC
To confirm that the NXC communicates with the external RADIUS server when the station does the 802.1X authentication.
Page 82
Information collection and report the issue to the HQ.
If the authentication still fails after checking the configuration and verifying the network, please collect the information for us to analyze the symptom.
Check all the options and press the button ”Collect Now”. It is necessary to wait for some minutes.
Page 83
Select the interface and press the button “Capture” before the station connects to the SSID and does the 802.1X authentication. Figure 194 MAINTENANCE > Diagnostics > Packet Capture.
The CLI command and debug log
Follow the steps below to retrieve the 802.1x debug log
Log in by console or SSH using the admin account. Figure 195 Tera Term >...
Page 84
Analysis for System logs and Packets
Normal log and packets:
From AC:
STA Association. MAC: XX:XX:XX:XX:XX:XX, AP: Ext-User <user account> from 802.1x has logged in EnterpriseWLAN
Figure 197 MONITOR > Log > View log
From AP:
Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Station had authorized.
Page 85
RADIUS Server Event log:
Network Policy Server granted full access to a user because the host met the defined health policy.
Figure 199 Windows2008 RADIUS server > Event Viewer > Custom Views > ServerRoles > Network Policy and Access Servers Figure 200 RADIUS_server.txt
Page 86
Packet: Access-Accept. Figure 201 Wireshark > Success_RADIUS.cap
RADIUS.log: Figure 202 Success_RADIUS.cap > Wireshark
No response from external RADIUS server:
From AC:
RADIUS: rejecting the user <user account>
Figure 203 MONITOR > Log > View Log
From AP:
Station had associated.
Page 87
Packet: Access-Reject. Figure 205 no radius server.cap > Wireshark
RADIUS.log: Figure 206 lack of any response from home server.log
Unknown user or wrong password:
From AC:
RADIUS: rejecting the user <user account>
Figure 207 MONITOR > Log > View Log
From AP:
Station had associated.
Page 88
Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Figure 208 MONITOR > Log > View AP Log
RADIUS Server:
Network Policy Server denied access to a user.
Figure 209 Windows2008 RADIUS server > Event Viewer > Custom Views > ServerRoles >...
Page 89
Figure 211 Wrong_password.txt
Packet: Figure 212 Wireshark > Wrong_password.cap
RADIUS.log
Untrusted Controller
From AC:
STA is blocked by Auth Failed(AAA Profile: <profile name>), MAC: XX:XX:XX:XX:XX:XX, Interface:wlan-X-X
RADIUS: rejecting the user <user account>
Figure 213 MONITOR > Log > View Log
Page 90
From AP:
STA is blocked by Auth Failed(AAA Profile: <profile name>), MAC: XX:XX:XX:XX:XX:XX, Interface:wlan-X-X
Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Figure 214 MONITOR > Log > View AP Log
RADIUS Server:
A RADIUS message was received from the invalid RADIUS client IP address 192.168.100.15.
Page 91
Packet: Figure 217 Wireshark > untrusted AC.cap
RADIUS.log: Figure 218 untrusted AC_radius.log
Untrusted AP
From AC:
STA is blocked by Hostapd3. MAC: XX:XX:XX:XX:XX:XX, Interface:wlan-X-X
Figure 219 MONITOR > Log > View Log
From AP:
Station has associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Page 92
Station has deauth. reason <reason code>, flag= Interface:wlan-X-X , Station: XX:XX:XX:XX:XX:XX
Station is blocked. reason <reason code>,event by Hostapd3, Interface:wlan-X-X , Station: XX:XX:XX:XX:XX:XX
Figure 220 MONITOR > Log > View AP Log
RADIUS Server:
A RADIUS message was received from the invalid RADIUS client IP address 192.168.100.32.
Packet: Access-Request. Figure 223 Wireshark > untrusted AP.cap
RADIUS.log: No RADIUS.log in the AC controller and AP
8.2 Symptom: the 802.1X authentication failed with Active Directory (AD) server
The procedure of the troubleshooting:
- Check the configuration of the controller and AD server.
- Check the port number of AD server.
Page 94
Check the AD server information of the NXC. There is an example with Windows 2008 R2 AD server let us to double
*Please confirm that Advanced Features is selected in the View menu of the AD server before you check the DN information. Figure 225 Windows2008 RADIUS server >...
Page 95
distinguishedName > view. It will show you the content that can be copied and pasted into the Base DN field of the NXC. Figure 226 Windows2008 RADIUS server > Active Directory Users and Computers > Domain name(right click) > Properties > distinguished Name
Bind DN: write the username who has privilege to set the configuration of...
Page 96
Server Authentication
- User name (Must be a user who has rights to add a machine to the domain.)
- Password: write the password of the user name. (You can also write the Administrator account that has complete rights.)
...
Page 97
After you finish entering the information of the AD server, you can input an account ID of the AD server for testing, to make sure the NXC can retrieve the user information with the correct AD configuration. The Test Status will show you a message about the result of the user authentication.
Page 98
Add the information of the domain zone. Figure 233
Public DNS server: write the IP of a DNS server that can resolve the domain name. If you have no additional DNS server, you can write the IP of the AD server. Figure 234 CONFIGURATION > System > DNS > Domain Zone Forwarder > Add.
Page 99
Check the security profile with 802.1X authentication. Figure 237 CONFIGURATION > Object > AP profile > SSID > SSID List.
Check whether the AP is set to the AP profile that you created.
Check whether the AD server receives the information from the NXC5500 and adds the NXC5500 to the computers list automatically.
Page 100
Check the port number of the AD server.
To confirm the network traffic, make sure the server port is the same as the one configured in the NXC5500, and log in to the console of the NXC and the RADIUS server.
Check the port number
The default port of the AD server in the NXC is 389.
Page 101
The IP of NXC
The IP of AP
Ping the domain name.
If you use the AD server to authenticate clients, the NXC needs to be able to resolve the domain name.
Figure 241 Tera Term > NXC > Router > ping <Domain name>
If the NXC cannot resolve the domain name, check the IP address of the AD server and the DNS configuration in the NXC, or enter the command “nslookup <Domain name>”...
Page 102
The default port of the AD server is 389.
[CLI]: packet-trace interface <INTERFACE> port <port number>
After typing the CLI command, let the station connect to the SSID to do the authentication.
Collect information and report the issue to the HQ.
If the authentication still fails after you have checked the configuration and verified the network, please collect the information for us to analyze the symptom.
Page 103
Figure 245 MAINTENANCE > Diagnostics > Packet Capture.
The CLI command and debug log
Follow the steps below to retrieve the 802.1x debug log.
Log in by console or SSH using the admin account.
Figure 246 Tera Term > NXC > Router> enable > debug authentication server log move to ftp
Log in to the controller by FTP using the admin account.
Download the /tmp/RADIUS.log from the ftp...
Page 104
Normal log and packets:
From AC:
STA Association. MAC: XX:XX:XX:XX:XX:XX, AP:
Ext-User <user account> from 802.1x has logged in EnterpriseWLAN
Figure 248 MONITOR > Log > View Log
From AP
Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Station had authorized. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Figure 249 MONITOR >...
Page 105
No response from AD server
From AC
RADIUS: rejecting the user <user account>
Figure 252 MONITOR > Log > View Log
From AP
Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Figure 253 MONITOR > Log > View AP Log ...
Page 106
RADIUS.log
Figure 255 no ad server_radius.log
Unknown user or wrong password
From AC
RADIUS: rejecting the user <user account>
Figure 256 MONITOR > Log > View Log or View AP Log
From AP
Figure 257 MONITOR > Log > View AP Log ...
Page 107
Packet: Access-Reject
Figure 258 Wrong_password-AD.cap > wireshark
RADIUS.log
Figure 259 Wrong_password-AD_radius.txt
Wrong DNS
From AC
Figure 260 MONITOR > Log > View Log
From AP
Figure 261 MONITOR > Log > View AP Log ...
8.3 Symptom: The 802.1X authentication failed with Lightweight Directory Access Protocol (LDAP) server
The troubleshooting procedure:
Check the configuration of the controller and the LDAP server.
Check the port number of the LDAP server.
Ping the LDAP server and AP.
Collect information and report the issue to the HQ.
Page 110
Base DN: enter the domain name.
Bind DN: enter a user who has the privilege to set the configuration of LDAP. In the example, the Administrator account “ldapadmin” has complete privileges for configuration. The account information is the same as the account used to log in to LDAP.
Page 111
Select the LDAP server you created.
Figure 268 CONFIGURATION > Object > Auth. Method > Authentication method > Add
Make sure the security list selects 802.1X authentication and the correct LDAP server.
Because an LDAP server does not support the EAP protocol and cannot act as an authentication server, the NXC has a built-in FreeRADIUS server that provides the EAP protocol for station authentication.
Page 112
Check whether the AP is set to the AP profile that you created.
Check the port number of the LDAP server
To confirm the network traffic, make sure the server port is the same as the one configured in the NXC5500, and log in to the console of the NXC and the LDAP server.
Page 113
The IP of NXC
The IP of AP
Packet trace by NXC
Use this to confirm that the NXC communicates with the LDAP server when the station does the 802.1X authentication. The default port of the LDAP server is 389.
[CLI]: packet-trace interface <INTERFACE> port <port number>
After typing the CLI command, let the station connect to the SSID to do the authentication.
Page 114
After collecting the logs, download the file and send it to us.
Figure 274 MAINTENANCE > Diagnostics > Diagnostics > Files.
Capture packets
Select the interface and press the “Capture” button before the station connects to the SSID and does the 802.1X authentication.
Figure 275 MAINTENANCE >...
Page 115
The CLI command and debug log
Follow the steps below to retrieve the 802.1x debug log.
Log in by console or SSH using the admin account.
Figure 276 Tera Term > NXC > Router> enable > debug authentication server log move to ftp
Log in to the controller by FTP using the admin account.
Download the /tmp/RADIUS.log from the ftp
Figure 277 Computer >...
Page 116
From AC
STA Association. MAC: XX:XX:XX:XX:XX:XX, AP:
Ext-User <user account> from 802.1x has logged in EnterpriseWLAN
Figure 278 MONITOR > Log > View Log
From AP
Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Station had authorized. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Figure 279 MONITOR >...
Page 117
No response from external LDAP server
From AC
RADIUS: rejecting the user <user account>
Figure 282 MONITOR > Log > View Log
From AP
Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX
Figure 283 MONITOR > Log > View AP Log ...
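The AP and AC log messages quoted in sections 8.2 and 8.3 can be correlated per station to separate normal logins from failed 802.1X attempts. The Python sketch below is an added example, not part of the ZyXEL guide; it assumes each log line contains the message text exactly as quoted above, and the timestamps, MAC addresses, interface names and user names in the sample are constructed.

```python
import re

# Constructed sample lines: only the message text follows the formats quoted
# in this guide; timestamps, MACs, interface and user names are made up.
AP_LOG = """\
2016-09-01 10:00:01 Station had associated. Interface: wlan-1-1 Station: 00:11:22:33:44:55
2016-09-01 10:00:02 Station had authorized. Interface: wlan-1-1 Station: 00:11:22:33:44:55
2016-09-01 10:05:10 Station had associated. Interface: wlan-1-1 Station: 66:77:88:99:AA:BB
2016-09-01 10:05:40 Station had disassoc. Interface: wlan-1-1 Station: 66:77:88:99:AA:BB
"""
AC_LOG = """\
2016-09-01 10:00:02 Ext-User alice from 802.1x has logged in EnterpriseWLAN
2016-09-01 10:05:39 RADIUS: rejecting the user bob
"""

AP_EVENT = re.compile(
    r"Station had (associated|authorized|disassoc)\.\s+"
    r"Interface: (\S+)\s+Station: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
AC_REJECT = re.compile(r"RADIUS: rejecting the user (\S+)")
AC_LOGIN = re.compile(r"Ext-User (\S+) from 802\.1x has logged in")

def classify_stations(ap_log):
    """Map each station MAC to 'authorized', 'failed' or 'pending'."""
    state = {}
    for line in ap_log.splitlines():
        m = AP_EVENT.search(line)
        if not m:
            continue
        event, mac = m.group(1), m.group(3).lower()
        if event == "associated":
            state[mac] = "pending"        # a new attempt starts
        elif event == "authorized":
            state[mac] = "authorized"     # 802.1X completed
        elif event == "disassoc" and state.get(mac) == "pending":
            state[mac] = "failed"         # left without being authorized
    return state

def controller_summary(ac_log):
    """Collect user names the AC logged as rejected or logged in."""
    return {"rejected": AC_REJECT.findall(ac_log),
            "logged_in": AC_LOGIN.findall(ac_log)}

if __name__ == "__main__":
    print(classify_stations(AP_LOG))
    print(controller_summary(AC_LOG))
```

The AC message "RADIUS: rejecting the user" appears both when the server does not respond and when the user or password is wrong, so a "failed" result still needs the packet capture and RADIUS.log to tell the two cases apart.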
Page 118
Figure 285 no_LDAP_server_radius.log
Unknown user or wrong password
From AC
Figure 286 MONITOR > Log > View Log
From AP
Figure 287 MONITOR > Log > View AP Log
Packet: Access-Reject
Figure 288 Wireshark > wrong_password_LDAP.cap
RADIUS.log ...
Figure 289 wrong_password_LDAP_radius.log
8.4 The configuration of Windows computer for 802.1X authentication
A computer running Windows has to add a connection for the SSID with 802.1X authentication, or it will fail to connect.
The configuration of a Windows 8 device to connect to the SSID with 802.1X
Open the “Network and Sharing Center”.
Page 120
In the “Network name” field, enter the SSID you set on the NXC5500, and select the Security type and Encryption type you set in the AP profile of the NXC5500.
Figure 293 Computer > open Network and Sharing Center > Set up a new connection or network >...
Page 121
Uncheck the “Validate server certificate” and then click Configure…
Figure 296 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network > Change connection settings > security > settings
Uncheck “Automatically use my Windows login name and password (and domain if any).”...
Page 122
Go to ZT_AD Wireless Network Properties and click “Advanced settings”.
Figure 298 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network > Change connection settings > security > Advanced settings
Check “specify authentication mode”...
Page 123
Return to ‘Wireless Network Connection’ and click the SSID you set manually before.
Note: If the ‘Encryption type’ setting does not match the setting on the NXC5500, you will see a red cross as shown in the picture.
Enter the username and password created on Windows Server 2008 AD. The wireless authentication will succeed.